bitwarden · jaasen-livefront · Apr 23, 2026 · Apr 30, 2026
@@ -18,7 +18,6 @@
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
-using Bit.Core.Tools.Services;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Authorization.Permissions;
 using Bit.Core.Vault.Commands.Interfaces;
@@ -1609,15 +1608,20 @@ public async Task<ObjectResult> AzureValidateFile()
                     try
                     {
                         var blobName = eventGridEvent.Subject.Split($"{AzureAttachmentStorageService.EventGridEnabledContainerName}/blobs/")[1];
-                        var (cipherId, organizationId, attachmentId) = AzureAttachmentStorageService.IdentifiersFromBlobName(blobName);
+                        var (cipherId, _, attachmentId) = AzureAttachmentStorageService.IdentifiersFromBlobName(blobName);
                         var cipher = await _cipherRepository.GetByIdAsync(new Guid(cipherId));
                         var attachments = cipher?.GetAttachments() ?? new Dictionary<string, CipherAttachment.MetaData>();
 
                         if (cipher == null || !attachments.TryGetValue(attachmentId, out var attachment) || attachment.Validated)
                         {
-                            if (_attachmentStorageService is AzureSendFileStorageService azureFileStorageService)
+                            if (_attachmentStorageService.FileUploadType == FileUploadType.Azure)
                             {
-                                await azureFileStorageService.DeleteBlobAsync(blobName);
+                                await _attachmentStorageService.DeleteAttachmentAsync(new Guid(cipherId),
+                                    new CipherAttachment.MetaData
+                                    {
+                                        AttachmentId = attachmentId,
+                                        ContainerName = AzureAttachmentStorageService.EventGridEnabledContainerName,
+                                    });
                             }
 
                             return;

@@ -1,6 +1,8 @@
 using System.Security.Claims;
+using System.Text;
 using System.Text.Json;
 using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Api.Utilities;
 using Bit.Api.Vault.Controllers;
 using Bit.Api.Vault.Models;
 using Bit.Api.Vault.Models.Request;
@@ -2442,4 +2444,54 @@ public async Task DownloadAttachmentAsync_ValidToken_ReturnsFile(
         Assert.Equal(fileName, fileResult.FileDownloadName);
         Assert.Same(stream, fileResult.FileStream);
     }
+
+    [Theory, BitAutoData]
+    public async Task AzureValidateFile_WhenCipherNotFound_DeletesOrphanedBlob(
+        Guid cipherId,
+        string attachmentId,
+        SutProvider<CiphersController> sutProvider)
+    {
+        var eventGridKey = "test-event-grid-key";
+        var previousEventGridKey = ApiHelpers.EventGridKey;
+        ApiHelpers.EventGridKey = eventGridKey;
+
+        try
+        {
+            var requestPayload = $$"""
+            [
+              {
+                "id": "{{Guid.NewGuid()}}",
+                "eventType": "Microsoft.Storage.BlobCreated",
+                "subject": "/blobServices/default/containers/{{AzureAttachmentStorageService.EventGridEnabledContainerName}}/blobs/{{cipherId}}/{{attachmentId}}",
+                "eventTime": "{{DateTime.UtcNow:O}}",
+                "data": {},
+                "dataVersion": "1"
+              }
+            ]
+            """;
+
+            var httpContext = new DefaultHttpContext();
+            httpContext.Request.QueryString = new QueryString($"?key={eventGridKey}");
+            httpContext.Request.Body = new MemoryStream(Encoding.UTF8.GetBytes(requestPayload));
+
+            sutProvider.Sut.ControllerContext = new ControllerContext
+            {
+                HttpContext = httpContext,
+            };
+
+            sutProvider.GetDependency<IAttachmentStorageService>().FileUploadType.Returns(FileUploadType.Azure);
+            sutProvider.GetDependency<ICipherRepository>().GetByIdAsync(cipherId).ReturnsNull();
+
+            await sutProvider.Sut.AzureValidateFile();
+
+            await sutProvider.GetDependency<IAttachmentStorageService>().Received(1)
+                .DeleteAttachmentAsync(cipherId, Arg.Is<CipherAttachment.MetaData>(metadata =>
+                    metadata.AttachmentId == attachmentId &&
+                    metadata.ContainerName == AzureAttachmentStorageService.EventGridEnabledContainerName));
+        }
+        finally
+        {
+            ApiHelpers.EventGridKey = previousEventGridKey;
+        }
+    }
 }